    samples: add an example of seccomp user trap · fec7b669
    Tycho Andersen authored
    The idea here is just to give a demonstration of how one could safely use
    the SECCOMP_RET_USER_NOTIF feature to do mount policies. This particular
    policy is (as noted in the comment) not very interesting, but it serves to
    illustrate how one might apply a policy dodging the various TOCTOU issues.
    Signed-off-by: Tycho Andersen <tycho@tycho.ws>
    CC: Kees Cook <keescook@chromium.org>
    CC: Andy Lutomirski <luto@amacapital.net>
    CC: Oleg Nesterov <oleg@redhat.com>
    CC: Eric W. Biederman <ebiederm@xmission.com>
    CC: "Serge E. Hallyn" <serge@hallyn.com>
    CC: Christian Brauner <christian@brauner.io>
    CC: Tyler Hicks <tyhicks@canonical.com>
    CC: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
    Signed-off-by: Kees Cook <keescook@chromium.org>
user-trap.c 7.92 KB